shark: Add kanidm

2023-09-16 22:21:47 +02:00 · 2023-09-16 22:21:47 +02:00 · 84d1eb69fd
parent 36b768b3b2
commit 84d1eb69fd
2 changed files with 52 additions and 10 deletions
--- a/hosts/shark/configuration.nix
+++ b/hosts/shark/configuration.nix
@ -5,6 +5,8 @@
      ./hardware-configuration.nix
      ../../base.nix
      ../../misc/metrics-exporters.nix
+
+      ./services/kanidm.nix
    ];

  sops.defaultSopsFile = ../../secrets/shark/shark.yaml;
@ -15,25 +17,16 @@
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

-  networking.hostName = "shark"; # Define your hostname.
+  networking.hostName = "shark";

  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
    address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };

-  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];

-  # List services that you want to enable:
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?

 }
--- a/hosts/shark/services/kanidm.nix
+++ b/hosts/shark/services/kanidm.nix
@ -0,0 +1,49 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.kanidm;
+  domain = "auth.pvv.ntnu.no";
+  bindaddr_web = "127.0.0.1:8300"; #
+  bindaddr_ldaps = "0.0.0.0:636";
+in {
+  # Kanidm - Identity management / auth provider
+  services.kanidm = {
+    enableServer = true;
+
+    serverSettings = let
+      credsDir = "/run/credentials/kanidm.service";
+    in {
+      inherit domain;
+      ldapbindaddress = bindaddr_ldaps;
+      bindaddress = bindaddr_web;
+      origin = "https://${domain}";
+
+      tls_chain = "${credsDir}/fullchain.pem";
+      tls_key = "${credsDir}/key.pem";
+    };
+  };
+
+  systemd.services.kanidm = let
+    certName = config.services.nginx.virtualHosts.${cfg.serverSettings.domain}.useACMEHost;
+  in {
+    requires = [ "acme-finished-${certName}.target" ];
+    serviceConfig.LoadCredential = let
+      certDir = config.security.acme.certs.${certName}.directory;
+    in [
+      "fullchain.pem:${certDir}/fullchain.pem"
+      "key.pem:${certDir}/key.pem"
+    ];
+  };
+
+  services.nginx.virtualHosts."${cfg.serverSettings.domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/".proxyPass = "https://${cfg.serverSettings.bindaddress}";
+  };
+
+  environment = {
+    systemPackages = [ pkgs.kanidm ]; # CLI tool
+    etc."kanidm/config".text = ''
+      uri="${cfg.serverSettings.origin}"
+    '';
+  };
+ }